AKF Partners has worked with over 400 companies in our history and we’ve seen a wide variety of both good and bad things. The rise of server virtualization, the spread of NoSQL in the persistence tier, and the growing prevalence of cloud hosting are some of the technology developments in recent years. In the information security arena, there are several practices that are a good indicator of overall security program efficacy. Do them well and your security program is probably in good shape. Do them poorly – or not at all – and your security program might be headed for trouble.
1. Annual Security Training and Testing
Everyone loathes mandated training topics, especially those that require that a defined amount of time be spent on the training (many of which are legislative requirements). There’s no reliable method to make security training fun or enjoyable, so let’s hold our noses and focus on why it is important:
· Testing establishes accountability – people do not want to fail and there should be consequences for failure.
· Security threats change over time – annually recurring training provides a vehicle for updating awareness on current threats. Look through the OWASP Top 10 for several years to see how threats change.
· Recurring training and testing are becoming table stakes – any audit is going to start with asking about your training and awareness program.
2. Security Incident Response Plan
An IRP is not amongst the first few security policies a company needs, but when it is needed, it is needed urgently.
· A security incident is virtually a certainty over a sufficiently large time horizon.
· Similar to parachutes and fire extinguishers, planning and practice dramatically improve results.
· Evolving data privacy regulations, GDPR for instance, are likely to heighten incident disclosure requirements – a solid IRP will address disclosure.
3. Open Source Software Inventory
Open source software inventory? How is that related to security? Many consider OSS inventory a compliance requirement – ensuring the company complies with the licensing terms of the open source components it uses, which is particularly important if the business redistributes the software. OSS inventory also has security applicability.
· Provides the ability to identify risks when vulnerabilities and exploits in open source components are disclosed – what’s in your stack, and is the latest exploit a risk to your business?
· Most effective when coupled with a policy on how new open source components can be safely utilized.
· Lends itself well to automation and tooling with security resource oversight.
· Efficient, serving two purposes – open source license compliance and security vulnerability tracking.
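As an added illustration (not AKF tooling or any company's inventory), here is the matching step an OSS inventory makes possible: a constructed list of services and the open source components they ship is checked against constructed advisories, each with a placeholder id and an affected version range, and the exposed deployments are reported.

```python
# Added example: match an OSS inventory against disclosed advisories (constructed data).
from dataclasses import dataclass

def parse_version(v):
    # "2.14.1" -> (2, 14, 1); non-numeric parts become 0, short versions are padded
    parts = [int("".join(c for c in p if c.isdigit()) or 0) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder id, not a real CVE
    component: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive); "" means no fix published yet

def is_affected(version, adv):
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return not (adv.fixed and v >= parse_version(adv.fixed))

def affected_components(inventory, advisories):
    # Returns [(service, component, version, advisory_id)] for every exposed deployment
    by_component = {}
    for adv in advisories:
        by_component.setdefault(adv.component.lower(), []).append(adv)
    return [(svc, comp, ver, adv.advisory_id)
            for svc, comp, ver in inventory
            for adv in by_component.get(comp.lower(), [])
            if is_affected(ver, adv)]

# Constructed inventory: (service, component, version). Not real components.
INVENTORY = [
    ("checkout-api", "example-logger", "2.14.1"),
    ("search", "example-logger", "2.17.0"),
    ("billing", "example-xmlparser", "1.3.9"),
    ("billing", "example-yaml", "5.1"),
]
# Constructed advisories with placeholder ids
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "example-logger", "2.0.0", "2.15.0"),
    Advisory("ADV-PLACEHOLDER-002", "example-xmlparser", "1.0.0", ""),
]

if __name__ == "__main__":
    for svc, comp, ver, adv_id in affected_components(INVENTORY, ADVISORIES):
        print(f"EXPOSED: {svc} uses {comp} {ver} ({adv_id})")
```

The same component at a patched version (search at 2.17.0) correctly drops out, while an advisory with no fix yet flags every deployed version, which is the case that most needs a policy decision.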
What do these three security practices have in common? People – not technology. Firewall rules and the latest intrusion detection tools are not on this list. Many security breaches occur as the result of a human error leading to a compromised account or improper system access. Training and testing your people on the basics, having a plan on how to respond should an incident occur, and being able to know if an open source disclosure affects your risk profile are three human-focused practices that help establish a security-minded culture. Without the proper culture, tools and automation are less likely to succeed.